1. Field of the Invention
The present invention relates generally to authentication, authorization and accounting systems, and more particularly to a centralized general purpose authentication, authorization and accounting server with support for multiple authentication transport protocols and multiple client types.
2. Related Art
Security is a major and continuing concern for managers and administrators of computer networks. For financial and security reasons, it is vitally important that only authorized users have access to the network. Additionally, access must be controlled so that users can only connect to systems and services in which they are entitled. For tracking and billing purposes, it is important to document the time users are logged onto the network and the services that are used. Finally, there is often a need to limit the number of times a user can simultaneously log onto the network.
Conventionally, each type of client provides a unique form of security for guarding against unauthorized break-ins and for controlling user access. For example, UNIX-type operating systems generally provide a user identification (UserID) and password scheme for authenticating pre-authorized users. Such systems also provide the ability to assign specific access rights for each user that is authorized to access the system. Generally, data associated with pre-authorized users and their corresponding access rights are stored in a database on each client.
Other types of clients provide similar types of security measures using some form of a User ID and/or Password for authentication purposes. Sometimes encryption schemes are used to increase the level of security. Each client also provides an authorization mechanism to control user access to specific systems and services. Generally, each client maintains a separate database to store the user authentication and authorization information.
Generally, modern computer networks employ a variety of client types and have multiple points of access. For these networks it can be very difficult to manage, maintain and update user authentication and authorization information because such information is distributed among separate databases in a variety of clients. In addition, valuable storage resources are wasted because user data must be duplicated among the different client databases. This problem is multiplied when large networks with many points of access are implemented.
One solution to this problem is the use of distributed security servers. An example of a distributed security server is the Remote Authentication Dial-In User Service (RADIUS), provided by Livingston Enterprises, Inc. of Pleasanton, California. Distributed security servers create a single centralized location for user authentication and authorization data. In this fashion, all user data is stored in a single location to facilitate the task of maintaining and updating user data. Further, by having all the data in one location, storage space is preserved because there is no need to duplicate user data on multiple machines.
Conventional distributed security servers are problematic in that they are designed to work with particular types of hardware and particular types of operating systems (i.e. client types). In addition, conventional security servers generally support a specific authentication transport protocol. Examples of authentication transport protocols in use today are: RADIUS transport protocol, provided by Livingston Enterprises, Inc.; Network Information Service (NIS), provided by SUN Microsystems Inc.; Kerberos, provided by the Massachusetts Institute of Technology; Microsoft Domain System (MDS), provided by Microsoft, Inc.; and AppleTalk by Apple Computer, Inc.
For many large computer networks, a variety of authentication transport protocols may be in use. For these networks, conventional security servers are inadequate to handle the different types of authentication transport protocols being used by clients on the network. Thus, multiple security servers must be used, or client software must be altered to support the authentication transport protocol being supported by the particular security server being used. The latter solution may not be possible for some client types. For example, it may not be possible to support Kerberos on a Macintosh computer system.
Additionally, conventional security systems typically only support specific types of operating systems. Examples of different operating systems include UNIX operating systems, Microsoft operating systems (Windows 95, Windows NT and DOS) and Macintosh operating systems. For these networks, conventional security servers are inadequate to handle the variety of operating systems being used.
Still further, conventional security servers typically support authentication and authorization functions, but not accounting functions. Generally, user data used by conventional security servers is stored in a proprietary format. For these systems, separate accounting databases and accounting systems are typically maintained. This is a waste of resources because much of the same data is used by both accounting and security systems. Therefore, it would be desirable to maintain a single database for both the accounting information and the user authentication and authorization information.
Accordingly, what is needed is a distributed security system capable of supporting a variety of authentication transport protocols used by a variety of client types and that is capable of supporting accounting functionality from the same database used to store user authentication and authorization information.
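The following is an added illustration, not part of the patent text, of the arrangement the preceding paragraphs call for: a single user store that answers authentication (UserID and password), authorization (which services a user is entitled to), accounting (time logged on per service) and the simultaneous-login limit, fronted by more than one transport parser so that a new client type only needs a new parser rather than a new database. The two wire formats (`parse_avp` and `parse_json`), the class and function names, and the sample user are all constructed for this example; the AVP string form is a stand-in and is not the RADIUS wire format.

```python
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the shared store never holds cleartext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    services: FrozenSet[str]   # services this user may connect to (authorization)
    max_sessions: int          # limit on simultaneous logins


@dataclass
class Session:
    user: str
    service: str
    start: float
    stop: Optional[float] = None


class AAAServer:
    """One store answers all three questions: who you are, what you may
    use, and how long you used it (hypothetical core, constructed here)."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.sessions: Dict[str, Session] = {}   # accounting log, keyed by session id

    def add_user(self, name, password, services, max_sessions=1):
        salt, digest = hash_password(password)
        self.users[name] = UserRecord(salt, digest, frozenset(services), max_sessions)

    def authenticate(self, name: str, password: str) -> bool:
        rec = self.users.get(name)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost whether or not the user exists
            return False
        return hmac.compare_digest(hash_password(password, rec.salt)[1], rec.digest)

    def authorize(self, name: str, service: str) -> bool:
        rec = self.users.get(name)
        return rec is not None and service in rec.services

    def active_sessions(self, name: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user == name and s.stop is None)

    def login(self, name, password, service, now=None) -> Optional[str]:
        """Full AAA decision: returns a session id, or None on any refusal."""
        if not self.authenticate(name, password) or not self.authorize(name, service):
            return None
        if self.active_sessions(name) >= self.users[name].max_sessions:
            return None   # simultaneous-login limit reached
        sid = os.urandom(8).hex()
        self.sessions[sid] = Session(name, service, now if now is not None else time.time())
        return sid

    def logout(self, sid, now=None) -> Optional[float]:
        """Close a session and return its duration in seconds (accounting)."""
        s = self.sessions.get(sid)
        if s is None or s.stop is not None:
            return None
        s.stop = now if now is not None else time.time()
        return s.stop - s.start

    def usage(self, name: str) -> Dict[str, float]:
        """Completed connect time per service, read from the same store."""
        totals: Dict[str, float] = {}
        for s in self.sessions.values():
            if s.user == name and s.stop is not None:
                totals[s.service] = totals.get(s.service, 0.0) + (s.stop - s.start)
        return totals


# Two hypothetical transport front-ends. Each parses its own format into the
# same (user, password, service) triple, so a new client type adds a parser,
# not a second user database.
def parse_avp(raw: str) -> Tuple[str, str, str]:
    """Constructed attribute-value form: 'User-Name=a;User-Password=p;Service-Type=s'."""
    avps = dict(item.split("=", 1) for item in raw.split(";"))
    return avps["User-Name"], avps["User-Password"], avps["Service-Type"]


def parse_json(raw: str) -> Tuple[str, str, str]:
    msg = json.loads(raw)
    return msg["user"], msg["password"], msg["service"]


FRONT_ENDS = {"avp": parse_avp, "json": parse_json}


def handle(server: AAAServer, protocol: str, raw: str, now=None) -> Optional[str]:
    """Dispatch a raw request from any supported transport to the shared core."""
    user, password, service = FRONT_ENDS[protocol](raw)
    return server.login(user, password, service, now=now)
```

The `now` argument exists only so that accounting can be exercised with fixed timestamps; in use it is left as `None` and the server reads the clock. Note that the unknown-user path still runs the password hash, so response time does not reveal which UserIDs exist in the store.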